Move by State Attorneys General on “Street View” Exemplifies Online Privacy Compliance Challenges

Over two months ago, Internet search giant Google acknowledged that in the course of collecting information for its Google Maps Street View project, its roving vehicles inadvertently collected data, such as bits of web pages and email messages, over public, unsecured Wi-Fi networks. This disclosure inspired numerous investigations overseas, calls by members of Congress for a Federal Trade Commission (FTC) investigation, and, of course, parasitic class action lawsuits. After being relatively silent since May, the normally ubiquitous state attorneys general (state AGs) have now arrived on the scene in force, with Connecticut’s Richard Blumenthal acting on behalf of 37 of his fellow AGs. On July 21, Blumenthal sent Google a letter asking 13 questions on Street View and the Wi-Fi incidents.

The news release, and especially its headline (“CT Attorney General Seeks Additional Information on Google Street View Snooping”), is characteristically inflammatory. The letter referred to ongoing individual state investigations on this “significant privacy issue” and, without citing any underlying legal authority, demanded “prompt and forthright responses” to the detailed questions.

The state AGs’ high-profile move to inject themselves into the Street View privacy matter reflects a number of challenging realities for any American enterprise whose business involves collecting and/or storing consumers’ data online. Consumer protection officials and politicians perceive that privacy in the online world is of overarching public concern, and they are going to seize upon any opportunity to be seen “doing something” to protect privacy. That even includes, as Google found, situations where companies come forward and acknowledge lapses in security and take action. Businesses’ compliance imperative has never been greater, and more resources will continue to be shifted toward data security and protection.

This leads to another reality that makes such compliance needlessly costly and complex. As a group of public interest activists recently wrote to FTC Chairman Leibowitz, “privacy law in the United States is in disarray,” and “U.S. law in this area is piecemeal.” Various laws and regulations, at both the federal and state level, nominally apply to online privacy, and many of them are woefully outdated. A coalition including scores of tech companies and consumer advocates, for instance, is pushing to update the Electronic Communications Privacy Act. The 1986 law provides more privacy protection to those who store their data locally, contrary to the trend of keeping such data offsite in “the cloud.” Some of those same companies and activists advocate new federal laws which could centralize privacy standards and enforcement. Last week, a House Energy and Commerce Committee subcommittee heard testimony on a proposal known as the “BEST PRACTICES Act,” which, to the chagrin of some business interests, includes greater authority for state attorneys general and a “private right of action” empowering plaintiffs’ lawyers to sue for claimed privacy violations.

Until greater clarity and uniformity can be achieved in online privacy law, affected businesses will continue to develop and apply self-regulatory programs which must inefficiently react to a spider’s web of repetitive and sometimes conflicting laws and regulations. Legal certainty and predictability are two necessary elements for innovation and growth, especially for technology; lack of both will chill entrepreneurship and impair job creation. Enforcement actions such as those which could result from the state AGs’ questions of Google, or from requests by consumer groups, such as one demanded recently against Facebook, will keep regulators busy and provide fodder for activist non-profits’ fundraising efforts. But this piecemeal approach offers no long-term benefit to Americans or their personal privacy online.